Firewall and ftp, why is proxmox blocking it?

Kordian

Hello,
I have version 6.1.3.
I enabled the firewall on the datacenter, the container and a VM, ran
modprobe ip_conntrack_ftp
but ftp is still not working. I opened the ftp macro. I read on some forums that you have to enable ports 34000:65535 and did that, but I still receive:
101 3 tap101i0-IN 15/Oct/2020:18:51:30 +0200 policy DROP: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 MAC=xxx SRC=xxx DST=xxx LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4152 DF PROTO=TCP SPT=32902 DPT=33507 SEQ=941436231 ACK=0 WINDOW=14600 SYN
101 3 tap101i0-IN 15/Oct/2020:18:51:30 +0200 policy DROP: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 MAC=xxx SRC=xxx DST=xxx LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2970 DF PROTO=TCP SPT=45752 DPT=33653 SEQ=1959938981 ACK=0 WINDOW=14600 SYN
Why is it so difficult for Proxmox to open ftp? I have a physical firewall and no issues there.
Thank you in advance for help!
 
The datacenter firewall is solely responsible for the traffic from and to the nodes.
If you want to enable traffic from and to a VM, you have to define that in the VM firewall.
 
I know that. As long as I define the firewall and enable it on the datacenter and container, ftp is working.
When I enable it on the vm, the traffic is blocked. Partially, as logon gets through.
 
Do you have any rules set for the firewall? If not, try to add in/out TCP on port 21 :)
 
So,

- if you run `ss -tunlp` on the VM, do you get an entry like:
tcp LISTEN 0 128 [::]:21 0.0.0.0:* users:(("ftp",pid=000,fd=0))
?

and
- does `nmap -p21 your.vm.ip` from the Proxmox node tell you the node is open/closed or filtered?

Do you have any firewalls on the VM? firewalld, for example?
 
Yes, running ss -tunlp shows the proftpd port 21 listening.
Running nmap returns:
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-28 18:47 CET
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.00024s latency).

PORT STATE SERVICE
21/tcp open ftp
MAC Address: XXX (Unknown)
This works fine with firewall enabled on node and vm.
But when the firewall is enabled on both node and VM, when connecting through ftp, after logging in, the log on both node and VM starts displaying:
101 3 tap101i0-IN 28/Oct/2020:18:48:35 +0100 policy DROP: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 MAC=xxx SRC=xxx.xxx.xxx.xxx DST=proftpdserverip LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=9797 DF PROTO=TCP SPT=50047 DPT=34925 SEQ=467163901 ACK=0 WINDOW=65535 SYN
Six entries with different source and destination ports and the ftp connection is broken.
If I disable the firewall on the VM (still active on the node), ftp works.
An external firewall is also present, but it worked without problems before migrating the ftp server to the Proxmox VM.
 
OK, solved it myself. You need to configure the proftpd to limit the passive ports, and then enable them on firewall.
Or has anybody any other idea?
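As an added illustration of the fix described above (not code from the thread or from Proxmox), the script below parses `policy DROP` lines in the Proxmox VE firewall log format quoted in this thread, lists the dropped inbound TCP SYN destination ports, checks them against a chosen proftpd `PassivePorts` range, and prints the matching proftpd directive and the `[RULES]` lines for the VM's `/etc/pve/firewall/<vmid>.fw`. The log lines, addresses and the 50000-50100 range are constructed sample values.

```python
"""Check Proxmox VE firewall drops against a proftpd PassivePorts range."""
import re

# Constructed sample, modelled on the 'policy DROP' lines quoted in the thread
# (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
101 3 tap101i0-IN 28/Oct/2020:18:48:35 +0100 policy DROP: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 MAC=xxx SRC=203.0.113.10 DST=192.0.2.21 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=9797 DF PROTO=TCP SPT=50047 DPT=34925 SEQ=467163901 ACK=0 WINDOW=65535 SYN
101 3 tap101i0-IN 28/Oct/2020:18:48:35 +0100 policy DROP: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 MAC=xxx SRC=203.0.113.10 DST=192.0.2.21 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=9798 DF PROTO=TCP SPT=50048 DPT=33507 SEQ=467163902 ACK=0 WINDOW=65535 SYN
101 3 tap101i0-IN 28/Oct/2020:18:48:36 +0100 policy DROP: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 MAC=xxx SRC=203.0.113.10 DST=192.0.2.21 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=9799 DF PROTO=TCP SPT=50049 DPT=50005 SEQ=467163903 ACK=0 WINDOW=65535 SYN
101 3 tap101i0-IN 28/Oct/2020:18:48:36 +0100 policy DROP: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 MAC=xxx SRC=203.0.113.10 DST=192.0.2.21 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=9800 DF PROTO=UDP SPT=5353 DPT=5353 LEN=58
"""

DROP_RE = re.compile(r"policy DROP:.*\bPROTO=(?P<proto>\w+)\b.*\bDPT=(?P<dpt>\d+)\b")


def dropped_tcp_syn_ports(log_text):
    """Destination ports of dropped TCP SYNs, i.e. new inbound data connections."""
    ports = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m and m.group("proto") == "TCP" and line.rstrip().endswith("SYN"):
            ports.append(int(m.group("dpt")))
    return ports


def ports_outside(ports, lo, hi):
    """Dropped ports not covered by the passive range lo..hi (sorted, unique)."""
    return sorted({p for p in ports if not lo <= p <= hi})


def proftpd_passive_directive(lo, hi):
    """proftpd.conf directive pinning passive-mode data ports to lo..hi."""
    return f"PassivePorts {lo} {hi}"


def pve_vm_rules(lo, hi):
    """[RULES] lines for the VM firewall file: control port plus the passive range."""
    return [
        "IN ACCEPT -p tcp -dport 21 -log nolog",
        f"IN ACCEPT -p tcp -dport {lo}:{hi} -log nolog",
    ]


if __name__ == "__main__":
    lo, hi = 50000, 50100  # constructed example range
    dropped = dropped_tcp_syn_ports(SAMPLE_LOG)
    print("dropped TCP SYN ports:", dropped)
    print("outside PassivePorts range:", ports_outside(dropped, lo, hi))
    print(proftpd_passive_directive(lo, hi))
    print("\n".join(pve_vm_rules(lo, hi)))
```

Any port still listed as outside the range after the change means proftpd is not honouring the directive (or the data connection came from another service), so the log, not the rule set, is the first thing to re-check.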
 